Popular Tweets
A list of popular tweets by retweets and favorites.
-
Our paper on the Android Platform Security Model is now finally public: arxiv.org/abs/1904.05572. Many thanks to all the (partially anonymous) reviewers whose feedback has helped significantly to improve on earlier drafts as well as the many AOSP contributors. @DaveKSecure/1116531835071127552
-
PS: Dear @nest, it is, technically speaking, perfectly possible to turn on heating locally without cloud services. See e.g. @openHAB
-
Secure key handling for backdoors with multiple parties has not been shown workable in practice. Not a single time - and many have tried - did this work out securely at scale (at least we don't know any cases in public). So from our current best knowledge, we can't do it. @zackwhittaker/1235308493906812931
-
Anybody, not just Apple (and our own P0, obviously): please do that for Android! We all benefit from learning about and fixing security vulnerabilities. If you find anything, please reach out and we'll happily support publication of details as soon as the fix is out, as usual. @mattblaze/1170109132260683776
-
Happy to have our last version of "The Android Platform Security Model" now included in the official August 2021 edition of ACM Transactions on Privacy and Security: dl.acm.org/doi/10.1145/3448609. Fully open access - download, read, share, feel free to use however it's helpful 😉
-
Nice - creating cloned fingerprints using off-the-shelf inkjet printer and have them work on current smart phones: cse.msu.edu/rgroups/biometrics/Publications/Fingerprint/CaoJain_HackingMobilePhonesUsing2DPrintedFingerprint_MSU-CSE-16-2.pdf
-
cacm.acm.org/magazines/2021/6/252840-collusion-rings-threaten-the-integrity-of-computer-science-research/fulltext - Active collusion in academic peer review is disturbing. We knew it was always possible, but quite a lot of the research culture depends on honesty. I shudder to think how we should do research in an actively adversarial setting.
-
security.googleblog.com/2018/12/new-keystore-features-keep-your-slice.html: New blog post documenting two new Keystore features in Android Pie - Keyguard-bound keys and secure key import.
-
Thread: So, for my first time, I went to #BHUSA2018 (@BlackHatEvents) and #DEFCON26. I took my main phone and laptop, and on conference day 1 went completely non-anonymous with an Android platform security team T-shirt on. Let me tell you what happened. 1/n
-
Most talks from our #AndroidSecuritySymposium are now online at youtube.com/c/usmileAT-mobile-security with slides linked from usmile.at/symposium/program
-
The Android Enterprise Security Whitepaper is now online: source.android.com/security/reports/Google_Android_Enterprise_Security_Whitepaper_2018.pdf
-
It now takes 11 bugs/issues chained together to persistently exploit a modern Android phone. This is a nice validation for our defense in depth strategy. Bugs will happen, but they don't have to be (at least not directly) exploitable. Very nice work by the authors of this chain! @munmap/981360749938294784
-
engadget.com/2016/01/14/nest-software-bug/ - how much does it take to realize that life-critical functionality dependent on "the cloud" is not a good idea?
-
Btw, most talks are being recorded and will be made available in our #AndroidSecuritySymposium YouTube channel at youtube.com/c/usmileAT-mobile-security
-
Welcome, Pixel 3! I am particularly excited by the Titan chip, which implements StrongBox including Insider Attack Resistance (android-developers.googleblog.com/2018/05/insider-attack-resistance.html). And there are more security features like Protected Confirmation added with Pie (android-developers.googleblog.com/2018/08/introducing-android-9-pie.html). @sundarpichai/1049694448068612096
-
First introduced at scale with the Google Pixel and Android kernel, CFI now hits mainline to protect all other distributions as well. Thanks Sami and @kees_cook for making this happen. @lwnnet/1395750449379217408
-
"Our most important insight is that careful developer workflow integration is key for static analysis tool adoption." on static code analysis at @Google: cacm.acm.org/magazines/2018/4/226371-lessons-from-building-static-analysis-tools-at-google/fulltext
-
I would like to add that the Pixel 3a gets *all* the security features of Pixel 3, including the Titan M secure element with insider attack resistance, Protected Confirmation, AVB verified boot with firmware transparency, and quick updates. This is a great pair of devices. @backlon/1125830028720140288
-
@tmobileat Twitter is not the right medium for this. I am offering a phonecall to explain why this approach to password security is a very bad idea (happily in German as well). If you are interested, we'll find a slot that works across time zones.
-
Officially started at @Google today as Director of Android Platform Security. The next 2 weeks will be busy with learning details.
-
Happy 2nd Birthday! @xdadevelopers/1074885256371716096
-
github.com/pyca/cryptography/issues/5771: There's quite a bit more drama than seems warranted for security packages moving away from memory unsafe languages. Yes, Rust is a new build dependency, and that causes change/breakage in existing build pipelines. But we really need to stop writing new C.
-
After nearly 2 years in Mountain View, my family and I are moving back to Austria. While I am transitioning back to my academic role at @jkulinz as main job, I will remain involved with Android platform security to focus on mid- to long-term strategic vision.